
Security Engineer 1, Application Security

Trail of Bits

Remote, full-time


Experience
Up to 2 yrs
Salary
USD 100,000 – USD 160,000 / year
Vacancies
1
Posted
5 November
Work mode
Work from home
Eligibility
Candidates based in the United States who can work full-time in a remote setup and who can demonstrate practical vulnerability research ability are a fit. The role is especially suited to people early in their security careers, software engineers with a security focus, CTF participants, CVE researc…
Resume
Required to apply

Job description

About Trail of Bits

Trail of Bits, founded in 2012 by three seasoned hackers without outside funding, is a security-focused company known for helping protect highly targeted organizations and devices. The team combines original research with practical engineering to reduce the risks created by emerging technologies and to improve how the security community understands the systems shaping modern life.

The company takes a proactive stance toward cybersecurity, working at the edge of defense against attackers. Its research-driven and customized engineering approach is designed to keep client defenses aligned with rapidly changing threats.

Trail of Bits also shares security knowledge broadly through blogs, whitepapers, newsletters, meetups, and open-source tools, reinforcing its commitment to making security information more accessible.

Role Overview

Trail of Bits is hiring a Security Engineer 1 for its expanding Software Assurance practice. In this role, you will support security assessments of client software alongside senior engineers, identify weaknesses across application and system layers, and take ownership of parts of client engagements. You will investigate vulnerabilities, develop analysis tools, and help clients understand both the problem and the path to remediation.

The work is practical and self-directed: you will analyze complex codebases, create custom tooling, perform threat modeling, and carry findings through to client-facing delivery.

What You Will Do

  • Take ownership of security review work for specific modules, components, or systems within larger client engagements, from discovery through delivery.
  • Investigate application and system software to find, confirm, and explain real vulnerabilities, including exploitation paths and impact.
  • Create proof-of-concept code when needed to validate findings.
  • Design automation and purpose-built tooling that improves vulnerability discovery and testing.
  • Perform architecture reviews and threat modeling to identify attack surfaces, trust boundaries, and data flows, then recommend practical mitigations.
  • Communicate technical findings clearly to engineering teams and manage client communication for your assigned scope.
  • Contribute to security research efforts by building tools, documenting results, and staying current in application security and vulnerability research.

What You Bring

  • Proven vulnerability research ability, demonstrated through CTF results, CVE disclosures, bug bounty findings, or comparable security research.
  • Strong code-reading and code-analysis skills, with the ability to trace execution, spot logic flaws, and distinguish real vulnerabilities from false positives.
  • Comfort writing code in at least two relevant languages such as Rust, Go, C, C++, Python, JavaScript, TypeScript, or similar.
  • Working knowledge of memory corruption issues such as buffer overflows and use-after-free bugs, along with mitigations like ASLR, DEP, and CFI.
  • Solid understanding of operating systems, IPC, privilege boundaries, and system internals.
  • Ability to work independently, make progress without close supervision, and drive investigations to completion.
  • Strong technical communication skills and the ability to present findings in a clear, defendable, and actionable way.

Nice to Have

  • Recent or active CTF participation, including strong rankings or wins.
  • Prior publication of vulnerability research, such as CVEs, bug bounty reports, responsible disclosures, or write-ups.
  • Contributions to open-source security projects, tools, or libraries.
  • Experience with mobile platforms, including Android, iOS, or macOS internals and binary analysis.
  • Published technical writing, conference talks, or other public documentation on security topics.
  • Exposure to cloud security across AWS, GCP, or Azure.
  • Background in kernel work, drivers, or other low-level system programming.

Who You Are

This role is suited to someone with roughly 0 to 2 years of experience in security, or a software engineer who has built a strong security foundation. Trail of Bits is looking for people who can already demonstrate the ability to discover vulnerabilities, understand why systems fail, and take ownership of a piece of work from start to finish.

The company values proven capability over years on paper, and it is especially interested in candidates such as CTF participants, CVE researchers, bug bounty hunters, and strong engineering graduates who have built security tools.

Compensation and Employment Details

This is a full-time remote position in the United States. The base salary range is $100,000 to $160,000 per year, not including benefits and potential bonuses. Final compensation depends on role level, location, contract type, skills, experience, and educational background. The salary range shown applies across U.S. locations.

Additional Requirements and Notes

Trail of Bits participates in the U.S. E-Verify program for employment eligibility verification. Applications are reviewed only when completed through the company careers page. Applicants who submit an application will also be added to the company newsletter, with an option to unsubscribe at any time.

Benefits, Perks & Wellness

  • Performance-based bonuses in addition to base pay.
  • Employer-paid medical, dental, vision, disability, and life insurance.
  • 401(k) plan with a 5% match on base salary.
  • 20 days of paid vacation, with additional flexibility depending on local legal requirements.
  • Four months of parental leave for new family members.
  • $10,000 relocation assistance for employees who choose to move to New York City.
  • $1,000 work-from-home stipend to support a comfortable home office.
  • $750 annual learning and development stipend.
  • Company-funded all-team celebrations, including travel and lodging.
  • Philanthropic donation matching of up to $2,000 per year.
